CVE-2024-7560

NVD Published Date: August 08, 2024 at 02:15 AM
NVD Last Modified: August 08, 2024 at 01:04 PM
Vulnerability ID: CVE-2024-7560
Severity: HIGH
Severity Score: 7.2
Summary
The News Flash theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the newsflash_post_meta meta value. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Mitigation and Patches: -
Exploits: -
Metasploit Payload: -
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE ID: None
